Register Globals

Friday, June 15, 2007

If your PHP scripts still rely on register_globals, then I must say: where have you been? Since PHP 4.20, register_globals has been off by default, so your scripts must not rely on it, for security reasons.

What kind of security reasons? register_globals made coding easy for PHP programmers. Every variable, whether it comes from POST, GET, SESSION, COOKIES, FILES or anywhere else, can be used simply by referencing its name. So if I have a form that POSTs $name to, let's say, the file process.php, then in process.php I can read the value simply as $name. The problem is that it is just as easy for an attacker, or anyone else, to manipulate the $name variable. The easiest example is creating a variable with the same name through a method other than POST, e.g.

http://somesite.com/process.php?name=somenamehere

which creates a name variable via the GET method with the value 'somenamehere'. That happens because register_globals treats every variable the same, whether it comes from POST, GET, or any of the other sources I mentioned before. The above example manipulates a POST variable using GET. What will happen if the same approach is used to manipulate SESSION? I believe you get the point.

What if ALL the scripts I wrote before rely on register_globals? First, you must change the way you code from now on. Then, fix your scripts so they're compatible with register_globals = Off. The fix is simple: you just have to change your variables from $something to $_GET["something"] or $_POST["something"], depending on which method the variables came from.

Ah, you have so many files that changing every variable is almost impossible? Copy and paste this script, save it in a file, then include that file in every script that relies on register_globals. Here's the script:

    // Copy every POST field into a variable of the same name.
    foreach ($_POST as $key => $value) {
        ${$key} = $value;
    }
    // Same for GET; a GET value replaces a POST value with the same name.
    foreach ($_GET as $key => $value) {
        ${$key} = $value;
    }
    // Same for SESSION; it runs last, so session values replace the others.
    foreach ($_SESSION as $key => $value) {
        ${$key} = $value;
    }
    // add your methods (if any) here like the above example
I think the script is self-explanatory. Other resources about register_globals can be found here and here, and many others using Google.
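
The compatibility script above brings back the behaviour described earlier: its GET loop runs after the POST loop, so a name in the query string still replaces the POSTed $name. As an added example (not the author's script, and assuming PHP 7 or later), the same include can be narrowed to an allowlist that reads each variable from one declared source; import_expected() and the variable names are hypothetical.

```php
<?php
// Added example, not the post's script. Function and variable names are hypothetical.

/**
 * Return only the variables the legacy script expects, each read from
 * the single source declared for it ('get', 'post' or 'session').
 */
function import_expected(array $expected, array $sources): array
{
    $out = [];
    foreach ($expected as $name => $source) {
        if (!isset($sources[$source])) {
            throw new InvalidArgumentException("unknown source: $source");
        }
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)) {
            throw new InvalidArgumentException("invalid variable name: $name");
        }
        $value = $sources[$source][$name] ?? null;
        // Request parameters can arrive as arrays (name[]=x); legacy code
        // written for plain strings gets null instead.
        if ($source !== 'session' && !is_string($value)) {
            $value = null;
        }
        $out[$name] = $value;
    }
    return $out;
}

// Constructed sample input standing in for $_GET, $_POST and $_SESSION:
// the query string repeats names the script expects from POST and the session.
$get     = ['name' => 'somenamehere', 'user_id' => '1'];
$post    = ['name' => 'alice'];
$session = ['user_id' => 42];

$vars = import_expected(
    ['name' => 'post', 'user_id' => 'session'],
    ['get' => $get, 'post' => $post, 'session' => $session]
);

// EXTR_SKIP never overwrites a variable that already exists in this scope.
extract($vars, EXTR_SKIP);

var_dump($name, $user_id);
```

In the real include file, pass $_GET, $_POST and $_SESSION as the sources, after session_start() has been called.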
